Privacy Policy
Last updated: [DATE — e.g. 1 June 2025]
1. Data Controller
The data controller responsible for processing your personal data is:
2. Scope
This Privacy Policy applies to:
- Registered users (“Owners”) who create an account on droppd.co;
- Unregistered recipients (“Clients”) who access a shared project space via a link;
- Visitors to the droppd.co website who do not create an account.
It does not apply to files uploaded by users. Owners are independently responsible for the lawfulness of any personal data contained in the files they upload or share.
3. Personal Data We Collect
3.1 Data you provide directly
- Account registration: full name, email address, password (stored as a bcrypt hash — never in plaintext), company name (optional).
- Billing: name, billing address, payment method (processed directly by Stripe — droppd never stores full card numbers).
- Communications: messages sent to our support or privacy address.
3.2 Data collected automatically
- Usage data: pages visited, features used, session duration, browser type, OS, language.
- Log data: IP address, timestamp, HTTP method, URL path, response code — retained for security and abuse prevention.
- Cookies and similar technologies: see Section 9.
3.3 Data generated by use of the service
- Project metadata: name, description, expiry date, timestamps, status.
- File metadata: filename, MIME type, size, upload timestamp, uploader type. We do not analyse file contents.
- Audit log: event type, actor type (Owner/Client), IP address, timestamp.
3.4 Data we do NOT collect
- We do not read, scan for content analysis, or sell the contents of files uploaded to project spaces.
- We do not collect biometric data, health data, or any special categories under Art. 9 GDPR.
4. Legal Basis for Processing
- Performance of a contract (Art. 6(1)(b)): account registration, service delivery, billing, and all core features.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, abuse detection, audit logging.
- Legal obligation (Art. 6(1)(c)): retention of financial records as required by applicable tax law.
- Consent (Art. 6(1)(a)): optional usage analytics. You may withdraw consent at any time in Account › Privacy.
5. How We Use Your Data
- To create and manage your account and authenticate your identity.
- To provide, operate, and improve the droppd service.
- To process payments and issue receipts.
- To send transactional emails (account confirmation, password reset, project notifications, subscription receipts).
- To detect, investigate, and prevent security incidents and fraudulent activity.
- To comply with legal obligations.
- To generate aggregated, anonymised analytics to understand feature usage (when analytics is active).
We do not use your personal data for automated decision-making with legal or similarly significant effect (Art. 22 GDPR).
6. Sub-processors
We engage the following sub-processors, each bound by appropriate data processing agreements:
| Sub-processor | Purpose |
|---|---|
| Supabase Inc. | Database, authentication, real-time notifications. Servers in EU. |
| Cloudflare, Inc. | File storage (R2, EU region), CDN, DDoS protection. |
| Stripe, Inc. | Payment processing. Card data handled by Stripe directly (PCI-DSS Level 1). |
| Resend, Inc. | Transactional email delivery. |
| Vercel, Inc. | Application hosting and edge network. |
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
7. International Data Transfers
Our primary infrastructure is located within the EEA. Some sub-processors (Stripe, Resend, Vercel) are headquartered in the United States. Transfers outside the EEA are safeguarded by Standard Contractual Clauses (SCCs, Commission Decision 2021/914), the EU-US Data Privacy Framework where applicable, and UK International Data Transfer Agreements (IDTAs).
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data | Until account deletion, plus 30 days for backup purposes. |
| Files in projects | Until project expiry or manual deletion; archived files deleted within 24 hours. |
| Audit logs | Up to 12 months from creation. |
| Payment records | 10 years (legal/tax obligation). |
| Email logs | 90 days. |
| Backup snapshots | Maximum 30 days, then permanently overwritten. |
You can trigger immediate deletion of your account and all associated data via Account › Danger Zone.
9. Cookie Policy
9.1 Strictly necessary cookies
droppd uses strictly necessary cookies to operate the authentication system. These do not require consent:
- sb-[ref]-auth-token — Supabase session token. Duration: session / up to 7 days.
- sb-[ref]-auth-token-code-verifier — PKCE verifier for OAuth flows. Duration: session.
9.2 Preference storage
- droppd:analytics-consent — stores your analytics preference in localStorage. Persistent until cleared.
9.3 Analytics cookies
Analytics tracking is not yet active on droppd. When activated, it will require your explicit consent, will be fully anonymous, and will not share data with third parties. You can manage your preference at any time in Account › Privacy.
9.4 No advertising cookies
droppd does not serve advertising. No ad-tech platforms set cookies through our service. For full details see our Cookie Policy.
10. Your Rights
Depending on your location, you have the following rights:
- Access (Art. 15): request a copy of all personal data we hold about you.
- Rectification (Art. 16): request correction of inaccurate data.
- Erasure (Art. 17): request deletion of your personal data.
- Restriction (Art. 18): request that we limit processing while a dispute is resolved.
- Portability (Art. 20): download a machine-readable copy via Account › Privacy › Download JSON.
- Object (Art. 21): object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): withdraw analytics consent at any time without affecting prior processing.
To exercise any right, contact us at privacy@droppd.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (EEA: your national DPA; UK: the ICO at ico.org.uk).
11. US State Privacy Rights
We do not sell or share your personal information for cross-context behavioural advertising. California residents have rights under the CCPA/CPRA including the right to know, delete, correct, and opt out. To exercise these rights, contact us at the privacy email above.
12. Security
- Encryption in transit: TLS 1.2+ for all data between your browser and our servers.
- Encryption at rest: AES-256 on Supabase and Cloudflare R2.
- Passwords stored as bcrypt hashes — never in plaintext.
- Role-based access controls; production credentials accessible only to the data controller.
- Audit logging on all significant project actions.
In the event of a breach likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay (Art. 33–34 GDPR).
13. Children's Privacy
droppd is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have done so inadvertently, please contact us and we will delete it promptly.
14. Changes to This Policy
When we update this policy we will revise the “Last updated” date, notify registered users by email for material changes at least 14 days in advance, and display a notice in the application. Continued use after the effective date constitutes acceptance.
15. Contact
For any privacy-related request or complaint:
We aim to respond within 30 calendar days.